top | item 46724985

MarleTangible | 1 month ago

You'd generally expect a company like Lyft to pin its certificates, so it's notable that they don't. Any ideas as to why?

vimda | 1 month ago

Pinning certs has generally been discouraged for a while, afaik. It's pretty trivial to bypass, at least on Android, where you can sideload easily, and it's a pain in the ass to manage, with a huge potential to just take down your app if you mess it up.

ale42 | 1 month ago

If it's intentional, the only thing I can think of is access from corporate networks where SSL-intercepting proxies are absolutely common.
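As an added example (not code from the thread, Lyft, or any named project), here is the decision logic behind the two points above: vimda's "take down your app if you mess it up" and ale42's SSL-intercepting corporate proxy. It models a pin set with a backup pin and an expiry, following the semantics of Android's network-security-config pin-set; every key, hash input and date below is constructed.

```python
import hashlib
from datetime import date

# Constructed placeholder public keys (not real Lyft or CA material). A real client
# would hash the DER-encoded SubjectPublicKeyInfo of each certificate in the chain.
PRIMARY_SPKI = b"constructed-primary-leaf-key"
BACKUP_SPKI = b"constructed-backup-key-kept-offline"
ROTATED_SPKI = b"constructed-new-leaf-key-after-unplanned-rotation"
INTERMEDIATE_SPKI = b"constructed-public-ca-intermediate-key"
PROXY_SPKI = b"constructed-corporate-tls-proxy-ca-key"

def spki_sha256(spki_der: bytes) -> str:
    """Pin format used by HPKP and Android's network security config: SHA-256 over SPKI."""
    return hashlib.sha256(spki_der).hexdigest()

# Pin set shipped inside the app: the live key plus a backup key, and an expiry after
# which the client stops enforcing pins (Android NSC <pin-set expiration="..."> behaviour).
PIN_SET = {
    "pins": {spki_sha256(PRIMARY_SPKI), spki_sha256(BACKUP_SPKI)},
    "expiration": date(2026, 6, 1),
}

def pin_check(chain_spki: list, pin_set: dict, today: date):
    """Decide whether an already-validated chain may be used. Returns (accepted, reason).
    Ordinary X.509 validation is assumed to have passed; pinning only narrows it further."""
    if today > pin_set["expiration"]:
        # Fail open: once the pin set has expired, pins are ignored, so an app that was
        # never updated keeps working instead of being bricked by a key rotation.
        return True, "pin set expired; pins ignored"
    presented = {spki_sha256(spki) for spki in chain_spki}
    if presented & pin_set["pins"]:
        return True, "pinned key present in chain"
    return False, "no pinned key in chain; connection refused"

def scenarios(today=date(2025, 1, 15)):
    """Constructed chains as the app would see them (leaf first)."""
    normal = [PRIMARY_SPKI, INTERMEDIATE_SPKI]
    rotated_without_pin_update = [ROTATED_SPKI, INTERMEDIATE_SPKI]   # the outage case
    rotated_to_backup = [BACKUP_SPKI, INTERMEDIATE_SPKI]             # planned rotation
    corporate_proxy = [b"constructed-proxy-issued-leaf-key", PROXY_SPKI]
    return {
        "normal": pin_check(normal, PIN_SET, today)[0],
        "rotated_no_update": pin_check(rotated_without_pin_update, PIN_SET, today)[0],
        "rotated_to_backup": pin_check(rotated_to_backup, PIN_SET, today)[0],
        "corporate_proxy": pin_check(corporate_proxy, PIN_SET, today)[0],
        "after_expiry": pin_check(rotated_without_pin_update, PIN_SET, date(2027, 1, 1))[0],
    }

if __name__ == "__main__":
    for name, accepted in scenarios().items():
        print(f"{name}: {'accepted' if accepted else 'refused'}")
```

The "rotated_no_update" case is the self-inflicted outage: a rotation to a key that is neither pinned nor the backup refuses every connection until users install an updated app, while the corporate-proxy chain is refused by design.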

franga2000 | 1 month ago

I see the lack of cert pinning as a sign of having a good security team. Pinning is usually implemented as "we had an external security audit and their report said we should". Security auditors and pentesters tend to add this kind of crap (alongside root detection and obfuscation) to their reports to pad them out and make their work sound more valuable to the paper-pushers. So either Lyft had their audits done by a competent provider, or their staff know enough to filter this bullshit out. Either way, props.